Class ConfluentTrustManager

java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
io.confluent.kafka.server.plugins.ssl.ConfluentTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager
Direct Known Subclasses:
NetworkLinkTrustManager

public class ConfluentTrustManager extends X509ExtendedTrustManager
Custom trust manager for validating client and server certificates in Confluent Cloud.

This trust manager supports multiple certificate validation strategies for inbound connections where the broker acts as a TLS server accepting mTLS client authentication:

Certificate Validation Priority:

  1. SPIRE Validation: If SPIRE is enabled, client certificates are validated by the SPIFFE trust manager, which authenticates services by their SPIFFE identity rather than by the default trust store.
  2. Server Certificate as Client Certificate: If useServerCertForClientAuth is enabled, certificates issued for TLS servers (e.g., Let's Encrypt certificates, whose Extended Key Usage lists only serverAuth) are accepted for client authentication by calling checkServerTrusted() instead of checkClientTrusted(). Only the EKU requirement is relaxed by this switch; the delegate's checkServerTrusted() still builds and verifies the certificate chain, so a certificate that does not chain to a configured trust anchor is still rejected.
  3. Default Validation: Confirms that the certificate belongs to Confluent Cloud by checking the Subject Alternative Name (SAN) of the leaf certificate, then delegates to the default trust manager for chain validation.

Configuration:

  • ConfluentConfigs.SPIRE_SERVERSIDE_VALIDATION_ENABLED - Enable SPIRE validation on server-side
  • ConfluentConfigs.MTLS_USE_SERVER_CERT_FOR_CLIENT_AUTH_SERVERSIDE_ENABLED - Accept server certificates for client authentication on server-side (supports dynamic configuration update)
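The following is an added, self-contained illustration of the priority chain described above; it is not Confluent's code. It assumes a hypothetical PriorityClientTrustManager whose SPIRE strategy is modelled as an optional delegate X509ExtendedTrustManager, whose Confluent Cloud SAN check is modelled as a dNSName suffix match (the suffix ".example.internal" is a placeholder), and whose useServerCertForClientAuth flag is a volatile field so it can be flipped at runtime, mirroring the dynamically updatable configuration.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Illustrative trust manager chaining the three strategies on this page:
 * SPIRE delegate -> server-cert-for-client-auth -> SAN check + default PKIX.
 * All names here are assumptions for the example, not Confluent's API.
 */
public final class PriorityClientTrustManager extends X509ExtendedTrustManager {

    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    private final X509ExtendedTrustManager spireTrustManager;   // null when SPIRE is disabled (assumed)
    private final X509ExtendedTrustManager defaultTrustManager; // JDK PKIX trust manager
    private final String expectedSanSuffix;                     // placeholder, e.g. ".example.internal"
    private volatile boolean useServerCertForClientAuth;        // dynamically updatable switch

    public PriorityClientTrustManager(X509ExtendedTrustManager spireTrustManager,
                                      X509ExtendedTrustManager defaultTrustManager,
                                      String expectedSanSuffix,
                                      boolean useServerCertForClientAuth) {
        this.spireTrustManager = spireTrustManager;
        this.defaultTrustManager = defaultTrustManager;
        this.expectedSanSuffix = expectedSanSuffix;
        this.useServerCertForClientAuth = useServerCertForClientAuth;
    }

    /** Runtime toggle, the analogue of a dynamic config update. */
    public void setUseServerCertForClientAuth(boolean enabled) {
        this.useServerCertForClientAuth = enabled;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        // 1. SPIRE: SPIFFE identity validation replaces the trust-store path entirely.
        if (spireTrustManager != null) {
            spireTrustManager.checkClientTrusted(chain, authType, socket);
            return;
        }
        // 2. Server cert as client cert: the JDK PKIX trust manager enforces EKU
        //    clientAuth in checkClientTrusted and EKU serverAuth in checkServerTrusted,
        //    so routing through checkServerTrusted admits a serverAuth-only leaf while
        //    still performing chain building and trust-anchor validation.
        if (useServerCertForClientAuth) {
            defaultTrustManager.checkServerTrusted(chain, authType, socket);
            return;
        }
        // 3. Default: SAN ownership check on the leaf, then ordinary PKIX client validation.
        requireExpectedSan(chain[0]);
        defaultTrustManager.checkClientTrusted(chain, authType, socket);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        // Same priority order as the Socket overload; the engine is passed straight through.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        if (spireTrustManager != null) {
            spireTrustManager.checkClientTrusted(chain, authType, engine);
            return;
        }
        if (useServerCertForClientAuth) {
            defaultTrustManager.checkServerTrusted(chain, authType, engine);
            return;
        }
        requireExpectedSan(chain[0]);
        defaultTrustManager.checkClientTrusted(chain, authType, engine);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkClientTrusted(chain, authType, (Socket) null);
    }

    // Outbound (server-side of the peer) validation is left to the default trust manager.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        defaultTrustManager.checkServerTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        defaultTrustManager.checkServerTrusted(chain, authType, engine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTrustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return defaultTrustManager.getAcceptedIssuers();
    }

    /** Rejects a leaf that carries no dNSName SAN under the expected suffix (assumed ownership rule). */
    private void requireExpectedSan(X509Certificate leaf) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == SAN_DNS_NAME && san.get(1) instanceof String) {
                    if (((String) san.get(1)).endsWith(expectedSanSuffix)) {
                        return;
                    }
                }
            }
        }
        throw new CertificateException("client certificate has no SAN matching " + expectedSanSuffix);
    }

    /** Builds the JDK's default PKIX X509ExtendedTrustManager from a trust store. */
    public static X509ExtendedTrustManager defaultTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager available");
    }
}
```

Two points to check when adopting this pattern with the JDK trust manager. First, the Socket and SSLEngine overloads of the JDK's checkServerTrusted() also perform endpoint identification when the server's SSLParameters set an endpointIdentificationAlgorithm, so a server that enables that setting would, under strategy 2, have the client's certificate checked against the peer's hostname; leave it unset on the server side or the delegation will fail for legitimate clients. Second, because strategy 2 skips the SAN ownership check entirely, any certificate chaining to a configured trust anchor (for a public CA such as Let's Encrypt, that is any certificate that CA has issued) satisfies the TLS layer; the identity of the caller must then be established from the certificate by the authorization layer above it, not assumed from the handshake succeeding.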